Clamav modules still disabled even though security issues are fixed

Bug #317923 reported by Scott Kitterman
Affects          Status        Importance  Assigned to  Milestone
clamav (Ubuntu)  Fix Released  High        Unassigned
Dapper           Fix Released  High        Unassigned
Gutsy            Fix Released  High        Unassigned
Hardy            Fix Released  High        Unassigned

Bug Description

Binary package hint: clamav

We've patched the security issues in 0.92.1, but not re-enabled the relevant modules. Upstream has included and I've backported the patch.

Scott Kitterman (kitterman) wrote :

Here's the debug output showing the same modules enabled as we get in 0.94.whicheveronewe'reonnow.

LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: * Submodule ASPACK: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule ARJ: On ...

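A check for debug output like the listing above, as an added example that is not part of the original comment or of the ClamAV or Ubuntu packaging code: it parses the `Module` / `Submodule` lines and reports anything that is not effectively enabled. The names `parse_engine_config`, `disabled` and `SAMPLE` are hypothetical, and the sample input is constructed.

```python
import re

# Constructed sample in the format quoted above; UPX is switched off here to
# show a finding. The "Off" text is an assumption: anything but "On" counts.
SAMPLE = """\
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule UPX: Off
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
"""

LINE = re.compile(
    r"^LibClamAV debug:\s*(?P<kind>\*\s*Submodule|Module)\s+(?P<name>\S+):\s*(?P<state>\S+)"
)

def parse_engine_config(text):
    """Map "MODULE" and "MODULE/SUBMODULE" to True (On) or False (anything else)."""
    states, module = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, separator or unrelated debug line
        name, enabled = m.group("name"), m.group("state").lower() == "on"
        if m.group("kind") == "Module":
            module = name
            states[name] = enabled
        elif module is not None:  # submodule lines belong to the last module seen
            states[f"{module}/{name}"] = enabled
    return states

def disabled(states):
    """Entries that are off themselves or sit under a module that is off."""
    return sorted(
        key for key, on in states.items()
        if not on or not states.get(key.split("/")[0], True)
    )

if __name__ == "__main__":
    import sys
    off = disabled(parse_engine_config(sys.stdin.read()))
    print("disabled:", ", ".join(off) if off else "none")
    sys.exit(1 if off else 0)
```

Fed the saved debug output of a scan (for example from `clamscan --debug`, which writes it to stderr), the script exits non-zero when any module or submodule is still off after the update.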

Scott Kitterman (kitterman) wrote :

Debdiff verified in a Hardy chroot. Did not run the regression tests.

Changed in clamav:
importance: Undecided → High
status: New → Triaged
Scott Kitterman (kitterman) wrote :

Working on Gutsy/Dapper. This bug will apply to Intrepid/Jaunty as soon as 0.95 is released.

Scott Kitterman (kitterman) wrote :

Added closes in changelog and renamed debdiff to include release name.

Scott Kitterman (kitterman) wrote :

Debdiff for Gutsy. Also includes work from Bug #271546 not previously uploaded

Scott Kitterman (kitterman) wrote :

Debdiff for Dapper. Also includes work from Bug #271546 not previously uploaded

Changed in clamav:
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Thanks Scott. I've uploaded these to the security PPA and they will be published on Monday.

Changed in clamav:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1~gutsy3.1ubuntu2

---------------
clamav (0.92.1~dfsg2-1.1~gutsy3.1ubuntu2) gutsy-security; urgency=low

  [ Leonel Nunez ]
  * SECURITY UPDATE:
  * [CVE-2008-5314]: remote attack by sending a specially crafted JPEG file
    libclamav/special.c, libclamav/special.h, libclamav/scanners.c
  * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c: out-of-memory
    null dereferences
  * [CVE-2008-3914]: libclamav/htmlnorm.c, libclamav/others.c,
    libclamav/sis.c: fd leaks
  * [CVE-2008-3913]: freshclam/manager.c: memory leaks
  * added 29_CVE-2008-3912.dpatch 30_CVE-2008-3913.dpatch
     32_cli_check_jpeg_exploit.dpatch 31_CVE-2008-3914.dpatch
  * References: LP #271546, #304017

  [ Scott Kitterman ]
  * SECURITY UPDATE: re-enable modules disabled due to resolved security
    deficiencies:
  * References: Clamav svn commit 4550 LP: #317923

 -- Scott Kitterman <email address hidden> Sat, 17 Jan 2009 23:57:18 -0500

Changed in clamav:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1ubuntu0.5

---------------
clamav (0.92.1~dfsg2-1.1ubuntu0.5) hardy-security; urgency=low

  * SECURITY UPDATE: re-enable modules disabled due to resolved security
    deficiencies:
  * References
  * Clamav svn commit 4550 LP: #317923

 -- Scott Kitterman <email address hidden> Fri, 16 Jan 2009 02:07:38 -0500

Changed in clamav:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

clamav (0.92.1~dfsg2-1.1~dapper3.3) dapper-security; urgency=low

  [ Leonel Nunez ]
  * SECURITY UPDATE:
  * [CVE-2008-5314]: remote attack by sending a specially crafted JPEG
    file
    libclamav/special.c, libclamav/special.h, libclamav/scanners.c
  * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c:
    out-of-memory null dereferences
  * [CVE-2008-3914]: libclamav/htmlnorm.c, libclamav/others.c,
    libclamav/sis.c: fd leaks
  * [CVE-2008-3913]: freshclam/manager.c: memory leaks
  * added 29_CVE-2008-3912.dpatch 30_CVE-2008-3913.dpatch
     32_cli_check_jpeg_exploit.dpatch 31_CVE-2008-3914.dpatch
  * References: LP #271546, #304017

  [ Scott Kitterman ]
  * SECURITY UPDATE: re-enable modules disabled due to resolved security
    deficiencies:
  * References: Clamav svn commit 4550, LP #317923

Changed in clamav:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

All of these issues are fixed in Intrepid and higher.

Changed in clamav:
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.